http://dx.doi.org/10.4236/ijcns.2012.51001 Published Online January 2012 (http://www.SciRP.org/journal/ijcns)
Computation of Complex Primes Using Elliptic Curves:
Application for Cryptosystem Design
Boris S. Verkhovsky
Computer Science Department, New Jersey Institute of Technology, Newark, USA Email: [email protected]
Submitted December01, 2011;accepted January 16, 2012
ABSTRACT
This paper provides several generalizations of Gauss theorem that counts points on special elliptic curves. It is demon-strated how to implement these generalizations for computation of complex primes, which are applicable in several protocols providing security in communication networks. Numerical examples illustrate the ideas discussed in this pa-per.
Keywords: Communication Security; Gauss Formula; Complex Primes; Points Counting; Modular Elliptic Curve; Applets; Dual Elliptic Curves
1. Introduction and Gauss Formula for
Counting Points
Knowledge of how to count the number of points on el-liptic curve (EC) provides certain advantage in the design of cryptographic systems for secure communication in various applicational environments (transfer of funds in banking, transmission of sensitive information between inventor and his/her attorney, national security agencies, military applications, diplomatic communications, gover- nmental operations, control of weapons of mass distrac- tion, telemedicine etc.). In general, algorithms for count- ing points on an EC are in the domain of algebraic [1,2] and algorithmic number theories [3,4]. Only in special cases it is possible to provide a closed-form solution [5]. Although validation of these algorithms requires applica- tion of algebraic number theory, which is beyond the scope of this paper, their description is rather easy to un- derstand for cryptographers and application-oriented com- puter scientists.
In this paper we provide several generalizations of Gauss theorem and then demonstrate how to apply them in selection of complex prime parameters for the design of the cryptographic systems. These generalizations are based on intensive computer experiments (CE). As a re-sult, not all proofs that validate the algorithms are pro-vided. Instead, we formulate various conjectures and propositions that are supported by results of these CE.
1.1. Gauss theorem:Consider the elliptic curve (EC)
2 3
mod
y x x p
2 2
pC F
2
E p C
, (1.1)
where p is a real prime; let E denote the number of
or-dered integer pairs (x, y) that satisfy Equation (1.1); every such integer pair (x, y) is called a point on the EC. There are two major cases:
1). If pmod4=3, then EC (1.1) has p points {excluding the point at infinity O [1]};
2). If pmod4=1; , where C is odd; (1.2) and
(C+F)mod4=1; (1.3) then
; (1.4)
2 2
C F
{excluding the point at infinity O} [4].
If Condition (1.3) holds, then the Gauss Formula (1.4) can be applied to compute a complex prime (C, F). This application is based on the observation that an ordered pair of integers (C, F):=C+iF is a complex prime if and only if its norm is a prime [5].
However, not all complex primes have components C
and F that satisfy (1.3). For instance, (C, F)=(5,2) is the complex prime; yet (5+2)mod4=3.
Therefore, the algorithm provided below is non-deter- ministic, sinceits application is restricted by C. F. Gauss Theorem [5].
1.2. Non-deterministic algorithm for computa-tion of complex primes:
Step1: Select a prime pmod4=1;
Step2:Count the number of points E on EC
2 3
mod
y x x p (1.1);
Step3: Compute
: 2
R pE ; S: p C 2; (1.5)
Step4: If
RS
mod 41, then repeat Steps 1-4;Step5: If R is odd, then (C, F):=(R, S)
else (C, F):=(S, R). (1.6)
Remark1.1: Although this algorithm is not determinis-tic, yet, after s trials it finds a complex prime (C, F) with probability 1 1 2 s
E a
2 3
mod
.
Integers 61, 977, 1777, 1913, 1933, 4133 are examples of primes, for which Condition (1.3) does not hold.
The following conjectures and propositions generalize Gauss theorem and, as a byproduct, allow to design a
deterministic algorithm that computes complex primes for every real non-Blum prime p {pmod4=1}. These pro- positions and conjectures also provide insights that help to understand how various criteria were derived and ap- plied for integer factorization algorithms that were de- scribed in papers [6,7] recently-published by the author of this paper.
2. Generalizations of Gauss Theorem
As it is shown below, in certain cases the number of points on EC
y x ax p
2 G a C F, ,
1
mod 4 2F C
x
modp
mod 4 2
C C
ax
modp 1a
(2.1) can be represented as
E a p C ; (2.2)
where G(a, C, F) is equal either 1 or .
Remark2.1: In all following discussions, the point at infinity is excluded from the counting.
Conjecture2.1: Considertheelliptic curve (1.1), where
p is a prime; if Condition (1.2) holds, then
1 2
E p C . (2.3)
Conjecture2.2: Consider elliptic curve (EC)
2 3
y x ; (2.4)
where p is a prime and let condition (1.2) holds; then for every F
1 2
E p . (2.5)
Conjecture2.3: Consider EC
2 3
y x , (2.6)
where ; and let (1.2) holds; then
2
1
E a p CF a 2 mod 4 2
Cif
1 and 1; 1 and 1.
C a
C a
[image:2.595.310.539.117.187.2](2.8)
Table 2.1. Generalized Gauss formula if EC is
(2.7)
Corollary: Equation (2.7) implies that if Fmod4=0, then elliptic curves (1.1) and (2.4) have equal number of points {see Table 2.1}.
Equation (2.7) can be also presented as
( ) 2
mod 4 2 or mod 4 2
E a p C F
2 3
mod y x x p.
a p 1777 1913 6101 514229 919393
C;F 39;16 43;8 25;74 377;610 823;492
–1 #E(–1) 1855 1999 6151 514983 921039
#E )
1 (1 1855 1999 6051 513475 921039
ples of random -
s te B ri tha fir ul
(2 n ).
[image:2.595.50.540.312.740.2]Remark2.2: Elliptic curve (1.1) considered by C.F. Ga
ble 2.1). The same property holds for The table ab
elec
ove pr lum p
ovides mes
exam t con
ly as (2.3),
d non- m form
.5) a d (2.7
uss has a remarkable property: if p=1777, then
E(–1)=1855 {C.F. Gauss wasborn in 1777 and died in 1855}, (see Ta
x x
mod1777
: E(1)=1855.
3. Points on Elliptic Curves
In some applications and applets it is necessary to find at ular Diophanti
2 3 y
least one solution of mod ne equations
2
2
mod
y x x a p(1.1); or
2
2
mod
y x x a p(2.4).
Several special cases are listed be here such so-ons can be provided in closed forms.
1: If
4 1
: 2 k ;
a (3.1) low, w
luti
Case
then for every k0
2 1 3 1
, 2k , 2k
x y ; (3.2) is on EC y2x x
2a
modp.2
2w
a ; ery odd w
Case2: If
(3.3)
then for ev
3 1 2
, , 2w 2 w
x y ; (3.4) is the point on EC
2 2
mod
y x x a p (3.5)
Case3: Let x2 a xb2;
consider
2
b ; (3.6)
then :
ax x
2 2 2 2 y x x a x b .
Therefore, y = bx, i.e., (x, bx) is on EC
2
mod
x x a p. (3.7)
2 y
, if a=5, or a=6, or a 3, then respectively (5,10),
Hence =–
3
4. Counting Points on Elliptic C
2
da
nt
n EC n
8 for an expl ation}.
non-negative integer; p is a prime,
F ; let E d
denote the number ).Elliptic curves with coeffic ents a 2
n4.1: If
od8=0; (4.2) ponent
posit
Fmod8=4; (4.4) then
2 E 2k ;
mod 4 2tion4.3: If Fmod4=2, then the number of points e EC is equal
if is
F d o
holds
mod 4
E d .
g equations hold:
mod
C
Fmod 8 4
F.nsidered in
Proposi-5. Counting Points
on Dual EC
urves with
In order to design an efficient algorithm that computes complex primes, it is necessary to know how to cou points o (2.1), where |a| is not equal 1; {see Sectio
an Consider an EC
2 3
2d mod
y x x p, (4.1)
where exponent d is a
2 2
pm
of points on
od4 = 1; pC
the EC (4.1
i d have remark- able cyclic properties.
Propositio
Fm
then E d
is independent of ex d, i.e., is the same for all d; and
E d p 2C C
mod 4 2
. (4.3)Pro ion4.2: If
0E E
1
3E E E
2k1
; (4.5) and
1 2dE d p C C. (4.6)
Proposi
on th
2 if is and 2
p C d even p dd. (4.7)
Proposition4.4: For every non-negative integer d the following equation
E d (4.8)
Proposition4.5: If Fmod4=2, and if d=2m<4, then for
m=0 and m=1 the followin
2 2
1mE m p 4 2
C; (4.9) if d=2m+1<4, then
2 1
1mE m p (4.10)
Table 4.1 illustrates all cases co tions 4.1-4.5.
Proposition5.1: Let G d
be the number of points on the dual EC
2 3
2d mod
y x x p; (5.1)
ative
then for every non-neg integer d
2
G d E d .
Proof is provided in [7].
ition 5.1.
6. Counting Points: Detailed Descr
on how to coun
here ints (5.2)
Tables 4.1 and 5.1 illustrate Propos
iption
In this section we provide a detailed description t the points on the EC (5.1).
Conjecture6.1: If prime pmod4=1; pC2F2
, w
C is odd; and Fmod4=2, then the number of po
G d on EC
2 3
2d mod
y x x p i
s equal
dmod 4 2G d p2C 2Cmod 4 1 ; (6.1) if d iseven;
however, if d is odd,then there are two cases:
2 or 2G d p F p F.
(6.3)
b). if d=4k+3, then
G(d)=p–F(4–Fmod8). (6.4)
The following :
(6.2)
a). if d=4k+1; then
G(d)=p+F(4–Fmod8);
formula summarizes all cases of Con-jecture 6.1 for odd d
mod 4 1 24 mod8 1 d
F F (6.5) ( )
G d p
Fmod8=4, (6.6)
then for every integer k
2 2CifCmod 4 1G k
p Conjecture6.2: If
2Cif Cmod 4 3
p
; (6.7)
2 if mod 4 2 12 if mod 4
p C C
G k
p C C
and
1 3
njecture6.3: If
Fmod8=0, then for every d
. (6.8)
Co
(6.9)
G d p 2C
2Cmod 4
. (6.10) For eves
Proposition6.4:
prime p elliptic cur
very integer b, d andnon-Blum
2 3
mod d
y x b x p; and
Table 4.1. Number of points y2=(x3+2dx)modp.
p C F d=0 d d=2 d=3
on EC
=1
53 7 2 67; p+2C 49; p–2F 39; p–2C 57; p+2F
73 79; C 79
295 C 289; F
C 1039
1933 1 2017;
C 4009; 2F
3 8 p+2 79 79
97 9 4 79; p–2C 115; p+2C 79 115
257 1 16 255; p–2C 255 255 255
317 11 14 339; p+2C 345; p+2F ; p–2 p–2
977 31 4 1039; p+2C 915; p–2 915
13 42 907; p–2C 1849; p–2F 1959; p+2C p+2F
4133 17 62 4099; p–2C 4257; p+2F 4167; p+2 p–
Ta ber of po y2=(x3–2d
p C F d=0 d=1 d=2 d=3
ble 5.1. Num ints on EC x)modp.
109 3 10 103; p–2C 129; p+2F 115; p+2C 89; p–2F
9 103 2C 91 C
1
40 C 425 2F
77 31 4 9; p+ 5; p–2 1039 915
1933 13 42 1959; p+2C 2017; p+2F 1907; p–2C 849; p–2F
4133 17 62 4167; p+2C 4009; p–2F 99; p–2 7; p+
2 3 od 4
m
y x x (6.11)
a s. Proof is provided in [7].
7. Computation of Complex Primes:
nd only if
2
en find its representation as a sum of two integer squares (7.1). The c
dm
odp
b then T
h ve the same number of point
Deterministic Algorithm
Since the complex integer (C, F) is a prime if a its norm
2
:
N C F (7.1) is a prime, in a naïve approach we can first select a non- Blum prime p, and th
omplexity of such an algorithm is of order
p . Instead we can apply thegeneralization of Gauss Theorem described above; {for further details see Table A1 the Appendix}.
Step1: Select a prim =1; in e pmod4
(7.2)
Step2: Count the number of points E(a) on EC
re a 1;
2 3
mod
y x ax p , whe
Step3: Compute C: pE a
2; and
2 2
: ; then 2 ,
F p C pC C F a
then E(–1)=433459 C, F)=(17711,109
8.
ts on
od
F
. (7.3)
Example7.1: Let p=433494437; 1; 015; and ( 46).
Complexity Analysis
Schoof-Elkies-Atkin (SEA) algorithm counts poin elliptic curves y2 x3axm
4
p with expected runn- ing time T O log
p
if a 1 [1]; {the SEA is not applicable if Therefore, if pO 2
1000 ,9. Conclusions and Unsolved Problem
12lo 10
per we consid i
the nding algorit s that s the number of integer points each of these ECs.
these cases we provided c sed-form solutions with one exception {see Section A3 in Appendix, where aders of
oints on elliptic curves based on my al-gorithms. Results of computer experiments provided in
g these applets.
, Boca Ra-
.4 1000
g 2
In this pa ered fam lies of modular equa-tions (called EC) and correspo hm
count on
For all lo
we provided that case as a Challenge to the re this paper}.
Finally, we provided a deterministic algorithm with polynomial time complexity that computes a complex prime (C, F) for every real prime p. In [9] is demon- strated how to implement the complex primes in crypto- graphic systems based on double moduli reduction, where one modulus is a real prime and another modulus is a complex prime.
10. Acknowledgements
I express my gratitude to K. Engemann, D. Kanevsky and R. Rubino for their comments and to my former stu- dents for their assistance in creation of applets that count the number of p
this paper were performed usin
REFERENCES
[1] R. Lercier, D. Lubicz and F. Vercauteren, “Point Count- ing on Elliptic and Hyperelliptic Curves,” In: H. Cohen and G. Frey, Eds., Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman and Hall/CRC
[image:4.595.83.512.101.230.2]5
ton, 2006, pp. 407-453.
[2] K. Rubin and A. Silverberg, “Ranks of Elliptic Curves,” Bulletin American Mathematical Society (New Series), Vol. 39, No. 4, 2002, pp. 455-474.
doi:10.1090/S0273-0979-02-00952-7
[3] A. Lauder and D. Wan, “Counting Points on Variety over Finite Fields of Small Characteristics,” In: J. P. Buhler and P. Stevenhagen, Eds., Algorithmic Number Theory, Cambridge University Press, New York, 2008, pp. 579- 612.
[4] R. Schoof, “Counting Points on Elliptic Curves over Fi-nite Fields”, Journalde Theorie des Nombres de Borde- aux, Vol. 7, No. 1, 1995, pp. 219-254.
doi:10.5802/jtnb.142
[5] C. F. Gauss, “Disquisitiones Arithmeticae,” Verlag, Got-
ar Elliptic
Equa-Journal ofCommunications,
Net-tingen, 1863, p. 483.
[6] B. Verkhovsky, “Integer Factorization of Semi-Primes Based on Analysis of a Sequence of Modul
tions,” International
work and System Sciences, Vol. 4, No. 10, 2011, pp. 609- 615. doi:10.4236/ijcns.2011.410073
[7] B. Verkhovsky, “Algorithms for Integer Factorization Based on Counting Solutions of Various Modular Equations,” International Journal ofCommunications, Network and System Sciences, Vol. 4, No. 11, 2011, pp. 675-682.
doi:10.4236/ijcns.2011.411083
[8] L. Dewaghe, “Remarks on the Schoof-Elkies-Atkin Algo- rithm,” Mathematics of Computation, Vol. 67, No. 2 1998, pp. 1247-1252.
23,
doi:10.1090/S0025-5718-98-00962-4
[9] B. Verkhovsky, “Double-moduli Gaussian Encryption/De- cryption with Primary R
ternational Journal of Communicati
esidues and Secret Controls,” In- ons, Network and System Sciences, Vol. 4, No. 8, 2011, pp. 475-481.
doi:10.4236/ijcns.2011.47058
APPE DIX
ments
e A1. Generation of Gaussian primes via EC y2=x3+ax(modp).
od4 Fmod4
N
A1. Computer experi
Tabl
EC p E(a) C F (C+F)m
1
a 1000249 1001359 555 832 3 {GGT} 0
1
a 100 53 1 9
1
a a
1
a 4 4
02 000947 347 38 1 {GGT} 2
3276509 3278599 1045 1478 3 {GGT} 2
1 10006001 9999999 3001 1000 1 {GGT} 0
33,494,437 33,459,015 17,711 10,946 1 {GT} 2
Legend: GT a Gauss T T=via Gener s Theorem.
imes using EC y=x3–2x(modp).
p
[image:5.595.86.510.383.455.2]=vi heorem; GG alized Gaus
Table A2. Generation of Gaussian pr 2
2
E C F
780,291,637 p+2F; 780,320,985 23,769 14,674
77,777, 777 p+2C; 77,778, 955 19 9 19 6
59,60 249 p+2C 363 20 7 12 0
99,1 p–2 1 2
677, 071, 7,08 7,31
4,644,783,353, ; 59,604,645,200,773, 8,710,05 6,667,90
94,853,094,755,497 C; 99,194,852,763,595,215 65,580,141 67,914,296
A2. Genera
lizations
Consider
mod
, 2 dy x x b p b ; (A1)
CaseA1: If 2 is a generator or there exist h that
er
2 2 mod 4
2dz m
y x x
and find E(dzmod4), {see (5.1) and (5.2
ExampleA1: Let p=73, b=37, d=2; th
e,
E(dzmod4)=E(70mod4)=E(2); (6.5). Si
2 2
s an integer z
suc
2z b modp ; (A2) then consid
odp
)}. en
35
2 37 mod 73 , i.e. z=35.
Therefor
nce 2 2
733 8 , then E(2)=79. a generator o
CaseA2: If b is r there exists an integer w
(A3)
2 (mod )
b p .
Now consider
1 mod 4
2 2
( 2d p w )(mod )
y x x p ; (A4) and find E(d(p–w–1)mod4).
jectures A1-A3 address the cases where an such that
2(mod ) w
b p , then
1
d p w d
CaseA3: Con
[image:5.595.87.512.492.552.2]Table A3.1. # of points E 3–3dx
53 89 101 113 137 257 353 449 653
(3,0) on y2=(x )modp; if d=1, then E(3,1)=p+2F. p
(C, F) (7,2) (5,8) (1,10) (7,8) (11,4) (1,16) (17,8) (7,20) (13,22)
d=0 p–2C p–2C p+2C p+2C p+2C p–2C p–2C p+2C p+2C
2. # of points =(x3 d=1, the E(3,1)= –2F.
p 5 149 173 197 233 281 317 401 677
Table A3. E(3,0) on y2 –3dx)modp; if n p
(C, F) (1,2) (7,10) (13,2) (1,14) (13,8) (5,16) (11,14) (1,20) (1,26)
d=0 p+2C p–2C p+2C p+2C p–2C p–2C p–2C p–2C p+2C
integer solution z of io 2) does exi
ConjectureA1: If (CF
E(3,0); (A6)
and
Tables A3.1 and A3.2}.
ConjectureA2: I
2
p C; {see Table A4}; Equat
gcd n (A
, b)=1, t not hen the
st.
re are four distinct counts for d=0,1,2,3:
E(3,0)=p+(Cmod4–2)(1–Fmod4); (A5)
E(3,2)=2p–
E(3,3)=2p–E(3,1); (A7)
{see
f gcd(CF,b)>1, then there are two distinct counts: p2C and
namely:
a).
b, 0 ;
p 2C C
mod 4 2 ;
(A9) od4=0},
2 .
(A10)
od4=2, then for every d
3, 2
mod 4 2
E d p C C ;
,1
E b E b pE (A8) b). if gcd
, 3 2
(CF, b) = 1,
then
, 0
, 2E b E b
c). if Fmodb=0 or {b|CandFm then
, 0
, 2 2
mod 4E b E b p C C
ConjectureA3: If b|C and Fm
(A11)
if Fmod4b=0, then for every d
3, 2 mod 4 2
E d p C C . of ConjectureA3.
U ed lem
We leave to the readers to figure out a formula for E(3,1)
[image:6.595.308.538.334.554.2](A12)
Table A5 illustrates all cases
A3. nsolv Prob
provided that (A7) holds and E(3,1) is equal either
2
p F or p2F, {see above Tables A3.1 and A3.2}.
Table A4. E(3,0)=E(3,2); E(3,1)=E(3,3).
p C F d=0,2 d=1,3
61 5 6 p+2C p–2C
97 9 4 p–2C p+2C
157 11 6 p–2C p+2C
241 15 4 p+2C p–2C
613 17 18 p+2C p–2C
853 23 18 p–2C p+2C
1933 13 42 p+2C p–2C
Table A5. E(3,0)=E(3,1)=E(3,2)=E(3,3).
p C F d=0,1,2,3
109 3 10 p–2C
181 9 10 p+2C
193 7 12 p+2C
277 9 14 p+2C
313 13 12 p–2C
